> here's a nice little rule I use.
>
> # No text part, only an RTF document. Yeah, sure...
>
> header PAYLOAD_CTYPE_RTF Content-Type =~ /\bname=".+\.rtf"/i
> describe PAYLOAD_CTYPE_RTF Payload is an RTF document, no text part
> score PAYLOAD_CTYPE_RTF 4.0
I've started using this rule in our organization and it seems to work great so far. I might bump up the scoring in the future; however, right now I have ours set to 2.5, and it's catching extra spam that would have been let through. If SA decoded and scanned through the attachment, that would be the best option of all; however, in the meantime, this seems to do the trick. Thanks for the help!
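Added example, not part of the thread and not SpamAssassin's own code: a Python emulation of the quoted rule run over constructed sample messages, to show which messages it covers. It matches only a quoted `name="...rtf"` in the top-level Content-Type header, so an unquoted parameter or an RTF part inside a multipart message does not hit. The function names and sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string

# Python translation of the rule's Perl regex /\bname=".+\.rtf"/i
RULE_RE = re.compile(r'\bname=".+\.rtf"', re.IGNORECASE)

def payload_ctype_rtf(raw: str) -> bool:
    """Emulate the header rule: look only at the top-level Content-Type."""
    value = message_from_string(raw).get("Content-Type", "")
    value = re.sub(r"\r?\n[ \t]+", " ", value)  # unfold continuation lines
    return bool(RULE_RE.search(value))

def rtf_parts(raw: str) -> list:
    """Filenames of RTF parts anywhere in the MIME tree (wider than the rule)."""
    names = (p.get_filename() or "" for p in message_from_string(raw).walk())
    return [n for n in names if n.lower().endswith(".rtf")]

# Constructed sample messages (not real mail).
HDR = "From: sender@example.com\nSubject: invoice\nMIME-Version: 1.0\n"
RTF_BODY = "Content-Transfer-Encoding: base64\n\ne1xydGYxfQ==\n"
SAMPLES = {
    "rtf_only": HDR + 'Content-Type: application/rtf; name="invoice.rtf"\n' + RTF_BODY,
    "folded": HDR + 'Content-Type: application/rtf;\n\tname="Invoice.RTF"\n' + RTF_BODY,
    "unquoted": HDR + "Content-Type: application/rtf; name=invoice.rtf\n" + RTF_BODY,
    "multipart": HDR + 'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nSee attached.\n"
        '--b1\nContent-Type: application/rtf; name="invoice.rtf"\n' + RTF_BODY + "--b1--\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10} rule_hit={payload_ctype_rtf(raw)} rtf_parts={rtf_parts(raw)}")
```

The gap between `payload_ctype_rtf` and `rtf_parts` on the last two samples is the coverage the header rule leaves to other checks.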